Provide the systemd unit.

2018-02-06 16:58:18 +01:00 · 2018-02-06 16:58:18 +01:00 · eb93ff65f9
parent 3e69865a56
commit eb93ff65f9
4 changed files with 46 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,4 +1,9 @@

+## v1.3
+
+### Features
+* Provide the systemd unit.
+
 ## v1.2.3
 * Rename firewall table to filter table (most use on Debian).

--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -106,3 +106,5 @@ nft_set_host: {}
 nft_service_manage: true
 nft_service_name: 'nftables'
 nft_service_enabled: true
+nft_service_unit_path: '/lib/systemd/system/nftables.service'
+nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -41,7 +41,7 @@
    group: root
    mode: 0755
    backup: yes
-  notify: restart nftables service
+  notify: ['restart nftables service']

 - name: CONFIG generate input rules file
  template:
@ -51,7 +51,7 @@
    group: root
    mode: 0755
    backup: yes
-  notify: restart nftables service
+  notify: ['restart nftables service']

 - name: CONFIG generate output rules file
  template:
@ -61,7 +61,7 @@
    group: root
    mode: 0755
    backup: yes
-  notify: restart nftables service
+  notify: ['restart nftables service']

 - name: CONFIG generate vars definition file
  template:
@ -71,7 +71,7 @@
    group: root
    mode: 0755
    backup: yes
-  notify: restart nftables service
+  notify: ['restart nftables service']

 - name: CONFIG generate sets and maps file
  template:
@ -81,10 +81,26 @@
    group: root
    mode: 0755
    backup: yes
-  notify: restart nftables service
+  notify: ['restart nftables service']
 # }}}

 # service {{{
+
+- name: install Debian systemd service unit
+  template:
+    src: '{{ nft_service_unit_content }}'
+    dest: '{{ nft_service_unit_path }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: nftables__register_systemd_service
+  when: nft_service_manage
+  notify: ['restart nftables service']
+
+- name: Reload systemd daemons
+  command: systemctl daemon-reload
+  notify: ['restart nftables service']
+
 - name: SERVICE manage '{{ nft_service_name }}'
  service:
    name: '{{ nft_service_name }}'
--- a/templates/lib/systemd/system/nftables.service.j2
+++ b/templates/lib/systemd/system/nftables.service.j2
@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+[Unit]
+Description={{ nft_service_name }}
+Documentation=man:nft(8) http://wiki.nftables.org
+Before=fail2ban.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=null
+ProtectSystem=full
+ProtectHome=true
+ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }}
+ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }}
+ExecStop=/usr/sbin/nft flush ruleset
+
+[Install]
+WantedBy=multi-user.target